REMnux is a lightweight Linux distribution for assisting malware analysts in reverse-engineering malicious software. I released REMnux in July 2010. Today, I’m pleased to announce REMnux version 2. You can download the new version of REMnux from its main page as a virtual appliance and as a Live CD.
This note describes the changes introduced into the distro in the 2.0 release. If REMnux interests you, take a look at the reverse-engineering malware course I teach at SANS Institute.
Malicious Website Analysis
REMnux includes the updated version of Jsunpack-n, which includes a number of new features, such as proxy support, improved handling of encrypted PDFs, and other updates.
Stunnel is now installed to assist with the interception of SSL sessions in the malware analysis lab.
REMnux now includes the RABCDAsm toolkit for reverse-engineering malicious Flash (SWF) programs. This includes:
- rabcdasm: ActionScript 3 (ABC) disassembler
- rabcasm: ABC assembler
- abcexport: ABC extractor
- abcreplace: Replaces ABC in SWF files
- swfdecompress: SWF file decompressor
Tor and torsocks were installed to ease the process of anonymizing interactions with suspicious websites. Torsocks includes the “usewithtor” utility, which makes it easy to tunnel commands through Tor (e.g., “usewithtor wget”). To launch the Tor daemon, type “tor start”; to shut it down “tor stop”.
Burp Suite Free Edition is now part of REMnux. The toolkit includes a local web proxy application, and is useful for examining and controlling interactions with suspicious websites. REMnux already included Paros proxy for accomplishing this. Burp Suite stands out with its invisible proxying feature for web clients that don’t natively support HTTP proxies.
Memory Forensics for Malware Analysis
Volatility memory forensics framework was updated to version 1.4 RC 1. This version includes a different plugin architecture, incorporating many of the standalone plugins from version 1.3 into the core distribution. The new version of Volatility has a more streamlined feel from a usability perspective. Also, it includes basic support for Windows Vista and 7. (See what’s new in Volatility 1.4.)
- Volatility 1.4 RC 1 is still a work in progress, and might have bugs. Once the final version is designated as the production release, you’ll be able to update your version on REMnux by using “svn checkout http://volatility.googlecode.com/svn/trunk/”.
- Volatility 1.4 RC1 was placed in /user/local/volatility-1.4-rc1 and can be invoked from any location on REMnux using the “volatility” command. Version 1.3 of Volatility is in /user/local/volatility 1.3. It’s present mostly because VolRip (rip.pl) is not yet compatible with Volatility 1.4. The same applies to the “psscan3" plugin.
REMnux now includes Michael Hale Ligh’s malware.py library, which implements malfind, apihooks, orphanthreads, mutantscan, ldrmodules and other malware-related Volatility plug-ins described in Malware Analyst’s Cookbook.
REMnux now also includes AESKeyFinder and RSAKeyFinder tools for finding AES and RSA keys in a memory image.
Miscellaneous Tool Additions
The pyOLEScanner.py utility is now installed to assist with the analysis of malicious Microsoft Office documents.
The libemu library was installed to obtain the “sctest” tool, which is useful for shellcode analysis. To emulate the execution of shellcode, run “sctest” such as “sctest -Ss 1000000000 < binary-shellcode”.
Added the “whois” utility for looking up domain details from the command line.
Added xortools.py and pescanner.py tools from Malware Analyst’s Cookbook.
Installed VBinDiff for viewing and comparing files.
Installed ircII to supplement the Irssi IRC client already present on REMnux.
Added the VirusTotal VTzilla Firefox extension.
Added md5deep to assist with hash calculating-operations.
Added ClamAV for manually scanning suspicious files and generating signatures when necessary. (The ClamAV daemon is not running by default on REMnux.)
Other Updates
Updated Ubuntu 9.10 packages to their current versions using “apt-get”.
Upgraded the Net::DNS Perl library to address an issue related to the operation of INetSim.
Installed diStorm disassembler library for Python to support future versions of malware.py.
Acknowledgements
Thank you to everyone who has been providing feedback regarding REMnux, both recommendations for improvement and praises that have encouraged me to continue working on it. In particular, I’d like to thank Michael Hale Ligh, Hal Pomeranz, Dave Hull, Vladimir Panteleev and Thomas Hungenberg for their help in troubleshooting a few issues when I prepared version 2 of REMnux. Also, thank you to members of the REM course mailing list for their for their REMnux improvement suggestions.